Computer networks are pervasive in today's society. Although networking computers provides tremendous advantages, attaching a computer to a network makes the attached computer susceptible to a variety of malicious attacks.
One type of malicious attack is a distributed reflection denial of service attack (DRDOS attack). A DRDOS attack can take the shape or form of a debilitating bandwidth multiplicative attack on a victim that effectively shuts down a victim. In essence, a DRDOS attack involves an attacker sending to a router a synchronized (SYN) request apparently requesting the opening of a TCP connection. However, instead of sending a source address corresponding to the IP address of the attacker, the attacker sends a spoofed source address corresponding to the IP address of the target of the attack. In response, the router receiving the SYN message sends a synchronized acknowledge signal (SYN+ACK) to the source address received in the SYN message, which corresponds to the IP address of the target, resulting in the router sending the SYN+ACK response to the target rather than to the attacker. If enough such SYN messages are sent, and they are sent to a plurality of different routers, an enormous number of SYN+ACK messages can be dumped on the target. This is particularly true because of the multiplicative effect of the use of a large number of routers. The result is that the aggregating router closest to the victim can find its bandwidth being hogged by such a SYN+ACK flood, thus not permitting the victim any legitimate traffic.
Conventional approaches at addressing this type of attack have not been entirely successful. One example of such an approach is to filter the traffic at the aggregation router closest to the victim so that all traffic headed from particular ports could be prevented. Another solution is to deploy unicast reverse path forwarding checks, egress filtering, etc. that would block all spoofed traffic coming into a victim's network.